I have an installation that offloads SSL decryption on our load balancer. We would like to set secure cookies in our application and thus need IIS to recognize secure traffic even though all traffic to IIS is over HTTP. I've taken my direction from the excellent article at http://www.jamescrowley.co.uk/2014/03/07/ssl-termination-and-secure-cookiesrequiressl-with-asp-net-forms-authentication/
I have done the following after reading James Crowley's article.
1) setup a rule in my load balancer that sets a header "X-Forwarded-Proto" with a value of http or https depending on the original request protocol.
2) installed rewrite 2 on IIS all servers behind the LB.
3) allowed the HTTPS server variable at the server level. I've also tried allowing at the website level.
4) written a quick test website that displays all request headers and server variables.
5) written a rule for all pages with a condition that recognizes the HTTP_X_FORWARD_PROTO header.
6) Added an action that attempts to set the HTTPS server variable to "on" when the HTTP_X_FORWARD_PROTO value = https.
All of this works with the exception of setting the HTTPS server variable. I've confirmed my rules conditional logic by setting a custom server variable "HTTP_TEST" and it works as expected, but setting the HTTPS built in variable fails using the same rule. What am I missing?
Thank you in advance,
John